DOL Contract No. K4781 
DOL Account No. 911184 
Contractor Contract No._ 

INTERAGENCY DISCLOSURE DRIVER AND PLATE SEARCH (DAPS) 

DATA SHARING AGREEMENT 
BETWEEN 

THE STATE OF WASHINGTON 
DEPARTMENT OF LICENSING 
AND 

DEPARTMENT OF HOMELAND SECURITY, IMMIGRATION & CUSTOMS ENFORCEMENT 

DETENTION & REMOVAL OPERATIONS 

This Agreement is made and entered into between the Department of Licensing, hereinafter referred to 
as DOL, and the Department of Homeland Security, Immigration & Customs Enforcement, Detention & 
Removal Operations. Upon execution, this Agreement cancels and supersedes DOL Contract No. 
K2217. 

Department of Homeland Security 
Immigration & Customs Enforcement 
Detention & Removal Operations 
3701 River Rd 
Yakima, WA 98902 

Hereinafter referred to as the "Contractor" or "USER".

TERMS AND CONDITIONS 

1. PURPOSE 

The Driver and Plate Search (DAPS) is a system established by DOL that discloses vehicle and driver 
record information. DAPS is used by law enforcement, 911 communication dispatch centers, courts, 
government investigators, and other government agencies based on expressed need as permitted by 
law. This is authorized by state and federal laws governing the release of such information and is 
obtained in accordance with Revised Code Washington (RCW) chapters 42.56 RCW, 46.12 RCW, 
46.52 RCW and Washington Administrative Code (WAC) 308-10 and Chapter 18 USC Sec. 2721-2725
Driver Privacy Protection Act (DPPA). 

NOTE*- DAPS does not provide the optional mailing address for a registered owner(s) of the vehicle 
record. The optional mailing is used to mail notifications to the registered owner(s) of vehicles. DAPS 
only displays the primary residence address, which is not always the address used for notifications to 
customers and may be different from the optional mailing address. 

DAPS is not intended to be used by courts or government agencies having jurisdiction over standing, 
stopping, parking violations or other infractions, e.g. automated traffic safety cameras, or automated 
school bus safety cameras to notify the registered owner(s) of a vehicle related to RCW 46.16A.120.

To do so may result in the notification not being delivered to the intended recipient, and is at the risk of 
the Contractor, not DOL. 

DOL will not be liable for any inaccuracy that may occur with the information obtained from the vehicle 
record. Contractor assumes all liabilities for how information is used and with any notifications made to 
the registered owner(s) of a vehicle using information obtained from the DAPS system. 

This Agreement provides the terms and conditions under which such information is provided for 
inspection and copying of records. 

THEREFORE, IT IS MUTUALLY AGREED THAT: 

2. DEFINITIONS 

As used throughout this Agreement, the following terms shall have the meanings set forth below: 

2.1 Confidential Information shall mean information that may be exempt from disclosure to the public 
or other unauthorized persons under either chapter 42.56 RCW, or other state or federal statutes. 
Confidential Information includes, but is not limited to, social security numbers, credit card
information, driver license numbers, personal information, law enforcement records, agency security 
data, and banking profiles. 

2.2 Contractor means the primary agency, firm, provider, organization, individual, agent and/or other 
entity performing services or accessing the DAPS data system under this contract. 

2.3 Data means information contained in the vehicle and driver records provided to Contractor under 
this Agreement. 

2.4 Individually Identifiable Health Information is a subset of health information, including 
demographic information collected from an individual and relates to the past, present, or future 
physical or mental health or condition of an individual; the provision of health care to an individual; or 
the past, present or future payment for the provision of health care to an individual, as set forth in 45 
CFR § 164.501, as currently enacted and subsequently amended or revised.

2.5 Legal Owner means the following information to include name, address, city, state, and excludes
the five (5) digit zip code of the party listed as legal owner of a vehicle. 

2.6 Personal Information means information identifiable to any person, including, but not limited to 
information that relates to a person's name, health, finances, education, business, use or receipt of 
governmental services or other activities, addresses, telephone numbers, social security numbers, 
driver license numbers, e-mail addresses, credit card information, law enforcement records or other 
identifying numbers or Protected Health Information, any financial identifiers, and other information 
that may be exempt from disclosure to the public or other unauthorized persons under either RCW 
42.56.360, 42.56 RCW, or other state and federal statutes. 

2.7 Protected Health Information means Individually Identifiable Health Information that is transmitted 
by electronic media, or transmitted or maintained in any other form or medium, as set forth in 45 
CFR § 164.501, as currently enacted and subsequently amended or revised. 

2.8 Subcontractor means one not in the employment of a party to this Agreement, who is performing all or 
part of those services under this contract under a separate contract with a party to this Agreement. The 
terms "subcontractor" and "subcontractors" mean subcontractor(s) in any tier. 

2.9 USER means the Contractor, the Contractor employee(s) or agent(s) or authorized entity performing on 
behalf of the primary Contractor and who will access the DAPS data system. 

3. STATEMENT OF WORK 

The parties to this Agreement shall furnish the necessary personnel, equipment, material and/or service(s) 
and otherwise do all things necessary for, or incidental to, the exchange of data as set forth in the 

• Statement of Work, Attachment A; 

• Budget, Attachment B, 

• Driver and Plate Search (DAPS) Application and Employee List, Attachment C, 

• Driver and Plate Search (DAPS) Appropriate Use Declaration, Attachment D, 

• DOL Data Security Requirements, Attachment E, and 

• Driver and Plate Search (DAPS) Employee List Modification, Attachment F, 
which are attached hereto and incorporated by reference herein. 

4. PERIOD OF PERFORMANCE 

Subject to its other provisions, the period of performance of this Agreement shall begin on the date of 
execution, and end on December 31, 2015 unless extended or terminated sooner as provided herein. 
This Agreement may be extended for periods from one (1) to five (5) years in duration each for a 
maximum Period of Performance not to exceed fifteen (15) years and is at the exclusive option of the 
DOL and shall be affected by the DOL giving written notice of extension or renewal to Contractor prior to 
expiration as provided herein. 

Contractor must submit a new DAPS Application and Employee List for yearly and upon request to assist 
DOL in maintaining a current account of USERS. Prior to an extension or renewal being issued, the
Contractor must submit a new DAPS Application. 

5. PAYMENT and BILLING PROCEDURE 

Payment for service(s) shall be in accordance with the Budget, Attachment B, attached hereto and
incorporated herein. USER agrees to make payment of all fees due under this Agreement before 
or concurrent with receiving the information requested, and USER will provide payment with each
request for a hard copy of disclosure information. 

Upon expiration of the Agreement, any claim for payment not already made shall be submitted within 30 
days after the expiration date or the end of the fiscal year; whichever is earlier. 

6. RECORDS. DOCUMENTS 

The Contractor shall maintain books, records, documents and other evidence of data security 
procedures and practices. These records shall be subject at all reasonable times to inspection, review, 
or audit by personnel duly authorized by DOL, the Office of the State Auditor, and federal officials so 
authorized by law, rule, regulation, or Contract. The Contractor will retain all books, records, 
documents, and other materials relevant to this Contract for six (6) years after settlement, and make 
them available for inspection by persons authorized under this provision. The Contractor shall be 
responsible for any audit exceptions or disallowed costs incurred by the Contractor or any of its 
Subcontractors. 

7. CONFIDENTIALITY 

The use or disclosure by any party of any information concerning the other party for any purpose not 
directly connected with the administration of responsibilities, with respect to services provided under this 
Agreement, is prohibited except as otherwise required by law or by prior written consent of the other 
party. Each party shall maintain as confidential all information concerning study findings and 
recommendations, as well as the business of the other party, its financial affairs, and relations with its 
clientele and its employees, and any other information, which may be specifically classified as 
Confidential Information. To the extent consistent with Washington State law, each party shall maintain 
all information, which the other party specifies in writing as Confidential Information. Each party shall 
have an appropriate Agreement with its employees and subcontractors to this effect. 

8. SAFEGUARDING OF CONFIDENTIAL INFORMATION 

Each Party shall not use or disclose Confidential Information in any manner that would constitute a 
violation of federal law or applicable provisions of Washington State law. Each Party agrees to comply 
with all federal and state laws and regulations, regarding data security and electronic data interchange 
of Confidential Information. 

Each party shall protect Confidential Information collected, used, or acquired in connection with this 
Agreement, against unauthorized use, disclosure, modification or loss. Each party shall ensure their 
directors, officers, employees, subcontractors or agents use it solely for the purposes of accomplishing the
services set forth in this Agreement. Each party and its Subcontractors agree not to release, divulge, 
publish, transfer, sell or otherwise make it known to unauthorized persons without the express written 
consent of the other party or as otherwise authorized by law. Each party agrees to implement physical, 
electronic, and managerial policies, procedures, and safeguards to prevent unauthorized access, use, or 
disclosure. "USER" shall make the Personal Information available to amend as directed by DOL and
incorporate any amendments into all the copies maintained by "USER" or its Subcontractors.

USER shall notify the DOL immediately of becoming aware of any unauthorized access, use or disclosure. 
Any breach of this clause may result in termination of the Agreement, suspension of on-line access 
accounts and the demand for return of all confidential information. 

9. RIGHTS IN DATA 

Unless otherwise provided, data, which originates from this Agreement shall be "works for hire" as defined 
by the U.S. Copyright Act of 1976 and shall be owned by the DOL. Data shall include, but not be limited to, 
reports, documents, pamphlets, advertisements, books, magazines, surveys, studies, computer programs,
films, tapes, and/or sound reproductions. Ownership includes the right to copyright, patent, register, and 
the ability to transfer these rights. 

10. SECURITY OF DATA 

The confidentiality classification of the data determines the handling requirements for this data while it is 
in motion and at rest. The required protective measures are: 

A recent independent security review of DOL’s infrastructure recommended that all remote access to
DOL's sensitive information be secured with strong authentication and encrypted communications. 

Given the security experts’ recommendation and the sensitivity of the data provided from the DAPS 
system, DOL believes a strong authentication mechanism is required to positively identify the user of the 
system irrespective of the network used to access the application. SecureAccess Washington is 
considered to have this strong authentication mechanism. 

Each party shall take due care to protect the shared data from unauthorized physical and electronic 
access as described in this Agreement. 

11. INDEPENDENT CAPACITY 

The employees or agents of each party who are engaged in the performance of this Agreement shall 
continue to be employees or agents of that party and shall not be considered for any purpose to be 
employees or agents of the other party. 

12. SUBCONTRACTING 

With prior written consent, either party may enter into subcontracts for any of the work or services 
contemplated under this Agreement. Consent shall not be unreasonably withheld. This clause does not 
include contracts of employment between a party and personnel assigned to work under this Agreement. 
Each party is responsible for ensuring that all terms, conditions, assurances and certifications set forth 
in this Agreement are carried forward to any subcontracts. 

13. AGREEMENT ALTERATIONS AND AMENDMENTS 

This Agreement may be amended by mutual Agreement of the parties. Such amendments shall not be 
binding unless they are in writing and signed by personnel authorized to bind each of the parties. 

14. TERMINATION FOR CONVENIENCE 

Either party may terminate this Agreement upon 30 days' prior written notification to the other party. If this 
Agreement is so terminated, the parties shall be liable only for performance rendered or costs incurred in 
accordance with the terms of this Agreement prior to the effective date of termination. 

15. TERMINATION FOR CAUSE 

If for any cause, either party does not fulfill in a timely and proper manner its obligations under this 
Agreement, or if either party violates any of these terms and conditions, the aggrieved party will give the 
other party written notice of such failure or violation. The responsible party will be given the opportunity to 
correct the violation or failure within 15 working days. If failure or violation is not corrected, this Agreement 
may be terminated immediately by written notice of the aggrieved party to the other. 

16. TERMINATION OF ACCESS 

Each party may at its discretion disqualify an individual authorized by the other party from gaining access 
to data pursuant to Driver and Plate Search Application and Employee List, Attachment C, which is 
attached hereto and incorporated by reference. Notice of termination of access will be by written notice 
and become effective upon receipt by the other party. Termination of access of one individual by either 
party does not affect other individuals authorized under this Agreement. 

17. DISPUTES 

In the event that a dispute arises under this Agreement, a Dispute Board shall determine it in the following 
manner: Each party to this Agreement shall appoint one member to the Dispute Board. 

The members so appointed shall jointly appoint an additional member to the Dispute Board. The Dispute 
Board shall review the facts, Agreement terms and applicable statutes and rules and make a determination 
of the dispute. The determination of the Dispute Board shall be final and binding on the parties hereto. As 
an alternative to this process, either of the parties may request intervention by the Governor, as provided by 
RCW 43.17.330, in which event the Governor’s process will control. 

18. GOVERNANCE 

This Contract shall be construed and interpreted in accordance with the laws of the state of Washington 
and the venue of any action brought hereunder shall be in the Superior Court for Thurston County. 

19. ORDER OF PRECEDENCE

This Agreement is entered into pursuant to and under the authority granted by the laws of the state of
Washington, and any applicable federal laws. The provisions of this Agreement shall be construed 
to conform to those laws. 

In the event of an inconsistency in the terms of this Agreement, or between its terms and any applicable 
statute or rule, the inconsistency shall be resolved by giving precedence in the following order: 

1. Applicable state and federal statutes and rules; 

2. Terms and Conditions set forth in this Agreement; 

3. Statement of Work; and any attachments; 

4. Any other provisions of the Agreement, including materials incorporated by reference. 

20. ASSIGNMENT 

The ability of the Contractor to obtain data pursuant to this Agreement shall not be assigned or 
delegated in whole or in part, except as expressly provided by this Agreement or by the express prior 
written consent of DOL. 

21. WAIVER 

A failure by either party to exercise its rights under this Agreement shall not preclude that party from 
subsequent exercise of such rights and shall not constitute a waiver of any other rights under this 
Agreement unless stated to be such in a writing signed by an authorized representative of the party and 
attached to the original Agreement. 

22. RIGHTS OF INSPECTION 

Each party shall provide right of access to the other party, or any of its officers, or to any other 
authorized agent or official of the state of Washington or the federal government at all reasonable times, 
in order to monitor and evaluate performance, compliance, and/or quality assurance of internal policies 
and procedures, and/or records relating to the safeguarding, use, and disclosure of Confidential 
Information obtained or used as a result of this Agreement. Each party shall make available information 
necessary for the other party to comply with an individual's right to access, amend, and receive an 
accounting of disclosures of their Confidential Information. 

23. SEVERABILITY 

If any provision of this Agreement or any provision of any document incorporated by reference shall be held 
invalid, such invalidity shall not affect the other provisions of this Agreement which can be given effect 
without the invalid provision, if such remainder conforms to the requirements of applicable law and the 
fundamental purpose of this Agreement, and to this end the provisions of this Agreement are declared to be 
severable. 

24. INDEMNIFICATION 

Each party to this agreement shall be responsible for its own acts and/or omissions and those of its
officers, employees and agents. No party to this agreement shall be responsible for the acts and/or 
omissions of entities or individuals not a party to this agreement. 

25. CONTRACT MANAGEMENT

The contract manager for each of the parties shall be responsible for and shall be the contact person for 
all communications and billings regarding the performance of this Agreement. 


The Contract Manager is:

Mike Gladish
Department of Homeland Security
Immigration & Customs Enforcement
Detention & Removal Operations
3701 River Rd
Yakima, WA 98902
Phone: 509-574-6765
FAX: 509-457-9284
E-Mail: Michael.R.Gladish@ice.dhs.gov

The Contract Manager for DOL is:

Dani Waldron
Department of Licensing
PO Box 2076
Olympia, WA 98507-2076
Phone: 360-902-3824
FAX: 360-570-4924
E-Mail: dwaldron@dol.wa.gov


Program Support Communications 

All program support communications from the USER to DOL shall be directed through the DOL Client 
Support, see Program Support section in the Statement of Work, Attachment A, for contact information. 

26. ALL WRITINGS CONTAINED HEREIN 

This Contract including the following attachments: 

• A = Statement of Work 

• B = Budget 

• C = Driver and Plate Search (DAPS) Application and Employee List 

• D = Driver and Plate Search (DAPS) Appropriate Use Declaration 

• E = DOL Data Security Requirements 

• F = Driver and Plate Search (DAPS) Employee List Modification 

This Contract sets forth in full all the terms and conditions agreed upon by the parties. Any other 
agreement, representation, or understandings, verbal or otherwise, regarding the subject matter of this 
Contract shall be deemed to be null and void and of no force and effect whatsoever. 


IN WITNESS WHEREOF, the parties have executed this Agreement, affirm they have the authority to 
bind their respective parties to the terms and conditions of this Agreement. 



Department of Homeland Security
Immigration & Customs Enforcement
Detention & Removal Operations

(Print Name)

State of Washington
Department of Licensing

n Stullick, Administrator
acilities & Procurement

(Date)

(Federal Tax ID number or UBI)

ATTACHMENT A
STATEMENT OF WORK 


27. SCOPE 

DAPS is used by the Department of Licensing (DOL) to respond to inquiries and is used to locate a 
vehicle or driver record when only partial information is available. DOL shall provide the application in a 
browser environment and is available for search queries 24 hours a day, except during system 
maintenance. 

DOL shall disclose vehicle and driver record information for inspection and hard copying when requested 
by USER over a secure Internet connection using DOL's DAPS application. Access to DAPS is for secure 
use by USER and USER'S employees only. 

The USER will also ensure that they will not share the information or provide screen prints of the DAPS with 
anyone outside the workplace, and will not use any information for their own purpose and/or benefit. Any 
use of the application by persons other than employees of the USER or for purposes other than to 
accomplish the USER'S official job functions is grounds for immediate termination of this Agreement as 
provided herein. 

28. PROGRAM SUPPORT 

The program support liaison for the USER shall be the primary contact for all communications regarding:

• Installation and operations of DAPS; 

• Registration process with SecureAccess Washington; 

• Troubleshooting issues or problems that occur; 

• User acceptance testing for system updates; 

• Law enforcement questions; 

• Processes for modifying, adding, terminating employees from Employee List and/or general 
questions; 

• Notification of system maintenance 


The Program Support for DOL is: 

Department of Licensing 
PO Box 2076 
Olympia, WA 98507-2076 

Phone: 360-902-3708 
FAX: 360-570-4943 

E-Mail: dapscomm@dol.wa.gov 
Mon-Fri. 8:00am to 5:00pm


USERS Shall: 

1. Take all steps necessary to ensure the application is accessible and used only by authorized 
personnel to accomplish their official job functions. 

2. Obtain necessary forms from the DOL website at http://www.dol.wa.gov/forms (form numbers
420-201, 420-202, 420-203, 420-205).

3. Notify DOL in writing of employees who are eligible for access to the DAPS system using the 
DAPS Application and Employee List form incorporated herein by reference. 

4. Be responsible to immediately notify DOL in writing of any changes to the access eligibility by 
using the DAPS Employee List Modification incorporated herein by reference. 


File Name: K4781 

Statement of Work, Attachment A 


Page 7 of 16 


7/24/2013 






5. Ensure the USER and USER’S employees and agents will maintain the confidentiality of vehicle 
and driver records by: 

a. protecting their account numbers and passwords; 

b. regularly changing passwords, by instructing users to change their password every 90 days, 
as recommended for security enhancement and by using hard to guess passwords; 
particularly when there are changes in personnel; 

c. instituting penalties for misuse of data; and 

d. ensuring that employees are familiar with the provisions of this contract. 

6. Have the ability and are responsible to cancel its SecureAccess account. 

7. With a written request to DOL, USER may be allowed to obtain hard copies of records: 

a. Copy of an individual vehicle/ and driver record may be provided as authorized in RCW 
46.12.380, RCW 46.52.120 and RCW 46.52.130. 

b. Lists of individual records may be provided as authorized in RCW 46.12.370 and RCW 
42.56. 

c. NOTE regarding the updating of information: 

i. Vehicle responses received may contain information that has not been updated for up 
to 48 hours. 

ii. Driver responses received may contain information that has not been updated for up 
to 24 hours. 

8. Require USER employees to register with SecureAccess Washington for each employee accessing 
the DAPS application. 

• USER is provided the following option for access to the DOL DAPS system, SecureAccess 
Washington (No Fee)

SecureAccess WA is a single sign-on application gateway created by Washington State's 
Department of Enterprise Services and allows Internet access to multiple online government 
services with the use of a unique single self-generated User-ID and password. 

29. DESCRIPTION OF DATA 

This Agreement governs the transfer and access to the vehicle and driver records. 

DOL shall disclose vehicle and driver records for inspection and copying when requested by USER in 
writing, by telephone, or over the Internet. 

Each request for disclosure shall be accompanied by the USER’S unique account code assigned by 
DOL. Costs incurred for records disclosed will be imposed as defined in this Agreement. 

30. DATA SECURITY 

Contractor shall comply with the requirements set forth in the DOL Data Security Requirements, 
Attachment E of this Contract. 

31. DATA CLASSIFICATION DECLARATION 

Data described in this data sharing Agreement is assessed to be in the following data classification: 


Confidential Information Requiring Special Handling 

Confidential information requiring special handling is information that is specifically protected from 
disclosure by law and for which: 

a. Especially strict handling requirements are dictated, such as by statutes, regulations, or 
agreements. 

b. Serious consequences could arise from unauthorized disclosure, such as threats to health 
and safety, or legal sanctions. 

32. ACCESS TO DATA

Method of Access/Transfer 

The data shall be provided by the DOL using SecureAccess Washington. 

Frequency of Data Exchange 
Repetitive: Continual as needed basis. 

Authorized Access to Data 

Access to "Confidential" or "Restricted Confidential" information is limited to individual agency staff and
business partners who are specifically authorized and who have a business need-to-know. In 
accordance with the terms contained herein and prior to making the data available, the USER shall notify all 
staff with access to the data of the use and disclosure requirements. 

USER will be responsible for ensuring that all employees obtaining access to the DAPS application have 
reviewed this contract and signed the DAPS Appropriate Use Declaration form incorporated herein by 
reference. This form will be kept on file at the USER’S location. 

33. TERMINATION OF ACCESS 

Either party may at its discretion disqualify an individual authorized by the Agency from gaining access to 
data. Notice of termination of access will be by written notice and become effective upon receipt, and a 
copy of such notice shall be provided to DOL. Termination of access of one individual by either party does 
not affect other individuals authorized under this Agreement. 

34. USE OF DATA 

The data provided by DOL shall be used and accessed by USER only for the limited purposes of 
carrying out activities pursuant to this Agreement as described in USER’S application for access 
submitted prior to issuance of this Agreement and incorporated by reference herein. The data shall not 
be duplicated or redisclosed without prior written authority of DOL. USER or USER employees shall not 
use the data provided for any purpose not specifically authorized under this Agreement. 

35. PROHIBITED USE OF DATA 

1. USER shall not furnish to any person, association, or organization any of the information, or part 
thereof or provide a screen print obtained from DOL. All exceptions to the above must be
pre-approved in writing by the Director of DOL, or the Director’s designee, setting out any limitations or
conditions to which the approval is subject. Such written approval must be granted by the DOL 
prior to the requested use of, or release of, the information that is subject to the exception. 

2. The personal use of information is strictly prohibited.

3. The sale or other distribution of vehicle, owner name or address or driver name or address to 
another person is in violation of this Agreement. This subsection shall not prevent USER from 
requesting additional specific exceptions from this section from DOL, subject to prior written 
approval of, and any conditions imposed by, DOL. No exceptions shall be valid unless approved in 
writing by the Director of DOL or his/her designated designee, accompanied by a statement of 
conditions, if any, imposed on such approval, prior to the intended use of the information that is the 
subject of the exception. 

4. In the absence of actual delivery to and receipt by either party by mail or other means at an earlier 
date and/or time notice of termination shall be conclusively deemed to have been delivered to, and 
received by, the other party as of midnight of the third day following the date of its posting in the 
United States mail, addressed as provided herein. 

ATTACHMENT B
BUDGET 


36. COST PER RECORD 

1. HARD COPIES:

When DOL is requested to provide hard copies of records to USER, USER agrees to pay DOL a fee 
covering DOL's direct cost for copying records, not to exceed fifteen cents ($.15) for each 
photocopy, seventy-five cents ($.75) for each copy of microfiche or imaged document, plus delivery 
costs. 

2. CERTIFICATION:

When copies of records are requested, USER agrees to pay DOL a fee of one dollar and fifty cents 
($1.50) for each certification affixed to any print or photocopy, plus delivery costs. 

3. COMPUTER-GENERATED LISTS:

USER agrees to pay DOL a fee covering DOL's direct cost for computer-generated lists. The fee for 
each request shall be agreed upon prior to DOL disclosing the information. 

DOL maintains the right to increase or decrease the fees for rendering service under this Agreement. 
Any amendment to the fees shall be subject to a change in the Agreement as provided herein. 


ATTACHMENT C

Driver and Plate Search (DAPS)
Application Employee List

We received your request for access to the DAPS system. Use this form to list the employees requiring DAPS access.
Submit the completed form to: 

Client Support 
Department of Licensing 
PO Box 2076 
Olympia, WA 98507-2076

Email: dapscomm@dol.wa.gov 
Fax: (360) 570-4943 




We are committed to providing equal access to our services.
If you need accommodation, please call (360) 902-3708 or TTY (360) 664-0116.

ATTACHMENT D

Driver and Plate Search (DAPS) 
Appropriate Use Declaration 


All DAPS users must sign this form. Keep a signed copy of this declaration on file in your office - do not return to
Department of Licensing.

DAPS users will: 

1) Ensure the confidentiality and privacy of the information accessed 

2) Only use the information to accomplish official job duties. 

ATTACHMENT E

DEPARTMENT OF LICENSING (DOL)

DATA SECURITY REQUIREMENTS

37. DATA SECURITY REQUIREMENTS 

38. Data Classification 

DOL classifies data into 4 Categories: 

Category 1 - Public Information 

Public information is information that can be or currently is released to the public. It does not 
need protection from unauthorized disclosure, but does need integrity and availability 
protection controls. 

Category 2 - Sensitive Information 

Sensitive information may not be specifically protected from disclosure by law and is for 
official use only. Sensitive information is generally not released to the public unless 
specifically requested. 

Category 3 - Confidential Information 

Confidential information is information that is specifically protected from disclosure by law
and may include but is not limited to:

• Personal information about individuals, regardless of how that information is obtained. 

• Information concerning employee personnel records. 

• Information regarding IT infrastructure and security of computer and telecommunications
systems.

Category 4 - Confidential Information Requiring Special Handling

Confidential information requiring special handling is information that is specifically 
protected from disclosure by law and for which: 

• Especially strict handling requirements are dictated, such as by statutes, regulations, or
agreements.

• Serious consequences could arise from unauthorized disclosure, such as threats to
health and safety, or legal sanctions.

39. Network Security 

Contractor agrees to maintain network security that conforms to generally recognized industry 
standards and best practices (See Section 49 Industry Standards) and apply these standards to their 
own network. At a minimum, Contractor’s network security must include the following: 

a) Network firewall provisioning 

b) Intrusion detection 

c) Quarterly vulnerability assessments 

d) Annual penetration tests (when data is Category 3 or above) 

40. Application Security 

Contractor agrees at all times to provide, maintain and support its software and subsequent updates, 
upgrades, and bug fixes such that the software is, and remains secure from those vulnerabilities as 
described in: 

a) The Open Web Application Security Project's (OWASP) "Top Ten Project" (http://www.owasp.org);

b) The CWE/SANS Top 25 Programming Errors (http://cwe.mitre.org/top25/ or
http://www.sans.org/top25-programming-errors/).


File Name: K4781, Data Security Requirements, Attachment E, Page 13 of 16, 7/24/2013




41. Data Security 

Contractor agrees to preserve the confidentiality, integrity and accessibility of DOL data with 
administrative, technical and physical measures that conform to generally recognized industry 
standards (see Section 49 Industry Standards) and best practices that Contractor then applies to its 
own processing environment. 

42. Data Storage 

Contractor agrees that any and all DOL data will be stored, processed, and maintained solely on 
designated target servers and that no DOL data at any time will be processed on or transferred to any 
portable or laptop computing device or any portable storage medium. 

43. Data Transmission 

Contractor agrees that any and all electronic transmission or exchange of system and application data 
with DOL and/or any other parties expressly designated by DOL shall take place via secure means 
(using HTTPS or SFTP or equivalent) and solely in accordance with Section 45 Distribution of Data. 

44. Data Encryption 

Contractor agrees that any and all DOL data, in transit or at rest, defined as Category 3 or above, be
encrypted using only NIST or ISO approved encryption algorithms. Encryption keys shall have a strength
equivalent to at least 112 bits:

a) Symmetric encryption, minimum 128-bit key 

b) Asymmetric encryption, minimum 2048-bit key 

45. Distribution of Data 

Contractor agrees that any and all data exchanged shall be used expressly and solely for the 
purposes enumerated in the Current Contract and this Attachment. Data shall not be distributed, 
repurposed or shared across other applications, environments, or business units of Contractor. 
Contractor further agrees that no DOL data of any kind shall be transmitted, exchanged or otherwise 
passed to other contractors/vendors or interested parties except on a case-by-case basis as 
specifically agreed to in writing by DOL. 

46. Disposition of Data 

Unless otherwise specified in the Contract, Contractor agrees that upon termination of this 
Contract it shall erase, destroy, and render unrecoverable all DOL data and certify in writing that 
these actions have been completed within 30 days of the termination of this Contract or within 7 
days of the request of an agent of DOL, whichever shall come first. At a minimum, media
sanitization is to be performed according to the standards enumerated by the National Institute of
Standards, Guidelines for Media Sanitization, SP 800-88, Appendix A (http://csrc.nist.gov/).

47. Security Breach Notification 

Contractor agrees to comply with all applicable laws that require the notification of individuals in the 
event of unauthorized release of DOL data or other event requiring notification. In the event of a 
breach of any of Contractor’s security obligations, or other event requiring notification under applicable 
law, Contractor agrees to the following: 

a) Notify DOL by telephone and e-mail of such an event within 24 hours of discovery: 

DOL Help Desk, phone: (360) 902-0111; email: hlbhelp@dol.wa.gov. 

b) Assume responsibility for informing all such individuals in accordance with applicable state 
and federal laws. 

c) Indemnify, hold harmless and defend DOL and its trustees, officers, and employees from 
and against any claims, damages, or other harm related to such notification event. 

d) Mitigate the risk of loss and comply with any notification or other requirements imposed by 
law and implement any reasonable requirements from DOL that will mitigate future risk of 
loss. 
48. Access to Data

Access to the data will be restricted to authorized users by requiring a logon using a unique user ID
and complex password or another authentication mechanism which provides equal or greater security,
such as biometrics or smart cards. Further, passwords must be changed on a periodic basis.
Password complexity and changing of passwords shall conform to generally recognized industry 
standards (see Section 49 Industry Standards) and best practices. 

49. Industry Standards 

As a minimum standard, Contractor agrees to ensure information security in accordance with the
current standards set forth in ISO/IEC 27000-series with an emphasis in ISO/IEC 27002
(http://www.27000.org/index.htm).


ATTACHMENT F



Driver And Plate Search (DAPS) 

Employee List Modification 

Use this form to add, remove, or update user information for the DAPS system. Submit completed form to:

Client Support
Department of Licensing
PO Box 2076
Olympia, WA 98507-2076

Email: dapscomm@dol.wa.gov 
Fax: (360) 570-4943 





Update user information 





1. Print this out and sign and date here


We are committed to providing equal access to our services.
If you need accommodation, please call (360) 902-3708 or TTY (360) 664-0116.